I'm trying to set PIM for Entra groups using terraform.

variable "entra_groups" {
  description = "entra groups"
  type = map(object({
    display_name           = string
    security_enabled       = bool
    assignable_to_role     = bool
    security_group_owners  = list(string)
    security_group_members = list(string)
    assignment_type        = string
    # duration               = string
    users_pim = list(string)
  }))
  default = {}
}
resource "azuread_group" "group" {
  for_each           = var.entra_groups
  display_name       = each.value["display_name"]
  owners             = concat(data.azuread_users.group-owners[each.key].object_ids, [data.azuread_client_config.current.object_id])
  members            = data.azuread_service_principals.group-members[each.key].object_ids
  security_enabled   = each.value["security_enabled"]
  assignable_to_role = each.value["assignable_to_role"]
}

data "azuread_users" "group-owners" {
  for_each             = var.entra_groups
  user_principal_names = each.value["security_group_owners"]
  ignore_missing       = true
}

data "azuread_service_principals" "group-members" {
  for_each   = var.entra_groups
  object_ids = each.value["security_group_members"]
}

data "azuread_users" "group-members-users" {
  for_each             = var.entra_groups
  user_principal_names = each.value.users_pim
  #ignore_missing       = true
}

resource "azuread_privileged_access_group_assignment_schedule" "active-pim-assignment" {
  for_each = var.entra_groups

  group_id        = azuread_group.group[each.key].object_id
  principal_id    = data.azuread_users.group-members-users[each.key].object_id
  assignment_type = each.value["assignment_type"]
  duration        = "P180D"
  justification   = "as requested"
  # start_date      = "2025-03-06T01:02:03Z"
  # expiration_date = "2025-08-01T01:02:03Z"
}

Inputs

entra_grd_irc_groups = {
  group_01 = {
    display_name           = "test-grp"
    description            = "test"
    security_enabled       = true
    assignable_to_role     = true
    security_group_owners  = []
    security_group_members = []

    assignment_type = "member"
    # duration               = "P364D"
    users_pim = [[email protected]]
  }
}

I get the below error

╷
│ Error: Incorrect attribute value type
│
│   on .terraform/modules/entra/groups/main.tf line 35, in resource "azuread_privileged_access_group_assignment_schedule" "group-pim-assignment":
│   35:   principal_id = data.azuread_users.group-members-users[each.key]
│     ├────────────────
│     │ data.azuread_users.group-members-users is object with 1 attributes
│     │ each.key is "group_01"
│
│ Inappropriate value for attribute "principal_id": string required.

asked Mar 6 at 17:18 by SRE, edited Mar 7 at 11:31
  • Change principal_id = data.azuread_users.group-members-users[each.key].object_id to principal_id = data.azuread_users.group-members-users[each.key].object_ids[0] to extract a single string from the list @SRE – Vinay B Commented Mar 7 at 4:18
  • Silly me, thanks. It works. – SRE Commented Mar 7 at 8:44
  • Posting this as a solution so that it will be helpful as a workaround on similar cases. – Vinay B Commented Mar 7 at 9:50

1 Answer


Getting the principal_id from the azuread_users data source using for_each in Terraform

From the error description "Inappropriate value for attribute principal_id", it seems the principal ID in the resource "azuread_privileged_access_group_assignment_schedule" is being fetched as a list of objects rather than as a single string.

The principal ID always needs a single string, not a list, and since the reverse is happening, i.e. data.azuread_users.group-members-users[each.key].object_ids returns a list, you need to extract the first element.

Now change the principal ID in the resource block so that we extract the first element using [0].

Demo configuration:

resource "azuread_group" "group" {
  for_each           = var.entra_groups
  display_name       = each.value.display_name
  owners             = concat(data.azuread_users.group-owners[each.key].object_ids, [data.azuread_client_config.current.object_id])
  members            = data.azuread_service_principals.group-members[each.key].object_ids
  security_enabled   = each.value.security_enabled
  assignable_to_role = each.value.assignable_to_role
}


data "azuread_users" "group-owners" {
  for_each             = var.entra_groups
  user_principal_names = each.value.security_group_owners
  ignore_missing       = true
}


data "azuread_service_principals" "group-members" {
  for_each   = var.entra_groups
  object_ids = each.value.security_group_members
}


data "azuread_users" "group-members-users" {
  for_each             = var.entra_groups
  user_principal_names = each.value.users_pim
}


resource "azuread_privileged_access_group_assignment_schedule" "active-pim-assignment" {
  for_each = var.entra_groups

  group_id        = azuread_group.group[each.key].object_id
  principal_id    = data.azuread_users.group-members-users[each.key].object_ids[0]
  assignment_type = each.value.assignment_type
  duration        = "P180D"
  justification   = "As requested"
}

Deployment:

Refer:

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_assignment_schedule

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users
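The fix above takes only the first entry of object_ids, so any further UPNs in users_pim never receive an assignment. It also relies on list position: the azuread_users data source with ignore_missing = true drops UPNs it cannot resolve from object_ids, so [0] can quietly become a different user than intended, and an empty list makes the index fail at plan time. A flattened map avoids both problems by creating one schedule per (group, user) pair and resolving each user individually. The following is an added example, not code from the question or the answer; it assumes the same var.entra_groups variable and azuread_group.group resource shown above, and uses the single-user azuread_user data source from the same provider.

```hcl
# Added example: one PIM assignment schedule per (group, user) pair,
# instead of only object_ids[0]. Assumes var.entra_groups and
# azuread_group.group exactly as defined in the answer above.

locals {
  # Flatten the group map into a map keyed "group_key/upn" so that
  # for_each has a stable, unique key for every single assignment.
  pim_assignments = merge([
    for group_key, group in var.entra_groups : {
      for upn in group.users_pim :
      "${group_key}/${upn}" => {
        group_key = group_key
        upn       = upn
      }
    }
  ]...)
}

# Resolve each user on its own: an unknown UPN fails the plan for that one
# assignment, rather than silently shifting positions in a shared list.
data "azuread_user" "pim_user" {
  for_each            = local.pim_assignments
  user_principal_name = each.value.upn
}

resource "azuread_privileged_access_group_assignment_schedule" "pim" {
  for_each = local.pim_assignments

  group_id        = azuread_group.group[each.value.group_key].object_id
  principal_id    = data.azuread_user.pim_user[each.key].object_id
  assignment_type = var.entra_groups[each.value.group_key].assignment_type
  duration        = "P180D"
  justification   = "As requested"
}
```

With this layout `terraform plan` shows one resource address per user (for example `azuread_privileged_access_group_assignment_schedule.pim["group_01/<upn>"]`), so adding or removing a UPN in users_pim only creates or destroys that user's schedule and leaves the others untouched.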
